Penetration Testing mailing list archives
Re: (preparing for)Pentesting firewall /Checkpoint box
From: David Howe <DaveHowe.Pentest () googlemail com>
Date: Wed, 19 Aug 2009 15:37:06 +0100
Todd Haverkos wrote:
I'd advise against fearing the paid pentest, or contribute to a "rubber stamp" mentality in the company that'll undermine the value you can get from a penetration test. I can't recall who said it at which defcon, but the quote was "People don't want to be secure. They want to have a rubber stamp that says they're secure." Such a thought really impairs improving things, so it's definitely a mindset to avoid.
I disagree. While it is good that vulnerabilities are found, having your shortcomings listed in a formal report to your boss and his boss is often a significant career- and wage-limiting move. It would be better if, on a weekly or monthly basis, you knew how to check your own boxes, and fixed (on a weekly or monthly basis) anything you found, rather than relying on a once-per-year-at-most external pentest that might miss an item anyhow.

If the external test finds nothing *because you already found and patched two months prior*, then you not only get to give a sigh of relief, but you will never know if your company would have lost a million dollars due to a hacker attack *that never happened because you found and patched the vulnerability months ago*, which would have happened anyhow because, by the time your external pentest company did their test, wrote up a formal report, and gave it to your manager, who then spent his time looking to deflect blame from himself and then acquired budget to get a consultant in to fix the issue, they would have been in and gone.

That is why I am here. I am not a pentester; I am a network admin who wants to protect his own systems the best that he can, rather than rely on an external test once per year to present the output of Nessus and recommend we update the DLLs on a NetWare server....